Sony Reels From Multiple Hacker Attacks Essay


In the past, many organizations, from Sony to NASA to the New York Times, have fallen victim to hacking incidents. In addition to costing organizations money, data breaches have also taken a significant toll on the trust customers have in affected businesses. As entities continue to accumulate more personally identifiable information (PII) about clients, the importance of having adequate security measures in place cannot be overstated. This text reviews the 2011 Sony PlayStation Network (PSN) hacking debacle. In so doing, it discusses, among other things, some of the measures that organizations ought to take to protect the private information of users. The text also speculates on why organizations are slow to report or acknowledge data breaches.


1. Overview

In April 2011, Sony experienced a massive external intrusion on its PlayStation Network. During the intrusion, the hackers accessed the account information of scores of the media conglomerate's PSN customers. The damages Sony suffered as a consequence of this outage are immense, particularly once one takes into consideration the resulting compensation to users, the outcome of the various lawsuits brought against the company, the costs associated with the release of security patches and other fixes, fines, loss of revenue during the outage period, loss of goodwill, etc.

To begin with, as part of the company's "Welcome Back" program, existing members of the PlayStation Plus service were granted 30 additional days on their subscription (Yin-Poole, 2011). The program, according to Yin-Poole, was "designed to reward customers affected by the outage." The security measures the company implemented, and for which it also had to incur costs, include, but are not limited to, the establishment of additional firewalls and the enhancement of data encryption and protection. In the UK, according to Halliday (2013), Sony was fined a total of 250,000 pounds for its failure to take appropriate measures to protect the user information that was compromised as a result of the hack. This, according to Halliday (2013), is the largest fine the ICO has imposed in recent times.

The total cost of the hacking incident has been estimated by various analysts to run into many millions of dollars. It would be difficult in this case to come up with the exact cost of the debacle. While Sony itself claims a total loss of $105 million, analysts such as Michael Pachter, as Dutton (2012) observes, are convinced that the company lost tens of millions. As Dutton further points out, one research manager at the International Data Corporation (IDC) puts the total cost of the breach at $250 million.

Most gamers, as the president of DFC Intelligence observes, do not "really hold a grudge against Sony" for this unfortunate intrusion incident (Dutton, 2012). As the author further points out, reputation-wise, the company seems to have emerged from the debacle unscathed. This could be attributed to Sony's excellent handling of the entire incident. In that regard, it would be safe to state that the incident cost Sony very few of its customers. As a matter of fact, Sony could have, in the final analysis, gained additional customers. According to the company, in addition to triggering the re-activation of approximately three million accounts that had been dormant, the breach led to the activation of new accounts as more gamers joined the system (Dutton, 2012). As strange as this may sound, it is a claim corroborated by Jesse Divnich, the Vice President of EEDAR. In his opinion, the company's "Welcome Back" initiative could have excited customers, both new and existing (Dutton, 2012). In other instances, such an incident could have led to a massive customer walkout.

One year after the hacking debacle, i.e., as of April 2012, there were "no verifiable reports of any account holders having actual hard cash stolen or IDs hijacked" (Dutton, 2012). So far, i.e., as of December 2013, there has been no credit card fraud report directly attributed to the data breach. Although no hack in the recent past has been as successful or as massive as the one this text concerns itself with, Sony has had its PSN attacked at least one more time. For instance, in October 2011, intruders staged an unsuccessful attack on the company's PSN in an attempt to gain access to users' accounts (Hosaka, 2011).

2. Protecting the Private Information of Customers

Virtual services on the Internet routinely store PII and credit card information...

...

This effectively puts such information at risk of exposure should a hacking attempt succeed. In that regard, the need for effective and adequate measures to protect the private information of clients cannot be overstated. According to Stewart (2013), there are two distinct security areas that companies processing credit card transactions and selling products over the Internet must address. These, according to the author, are transaction security and network security. When it comes to network security, Stewart (2013) points out that equipment attached to the Internet, either directly or indirectly, should be protected. On this front, the author notes that "firewalls serve an important role…" (Stewart, 2013, p. 377). With regard to transactional security, Stewart observes that to ensure that private transactions between web servers and other entities are securely completed, those transactions need to be encrypted. Hypertext Transfer Protocol Secure (HTTPS) is critical on this front (Stewart, 2013). The other measures an organization could adopt to protect customer interests and information include, but are not limited to, setting "rules regarding access to the data, how the data is received, stored and transmitted, what information can be sent within the organization and what can be passed along to third parties" (Brooks, 2012). It is, however, important to note that even with adequate security measures in place, an attacker can still gain access to an organization's systems by exploiting a single vulnerability. In that regard, no entity can boast of having virtually impenetrable protection measures in place.

3. Rehabilitating Hackers

If law enforcement agencies succeed in tracking down and arresting an extremely intelligent hacker, I believe there is every reason to "turn" such an individual into what some refer to as an ethical hacker. This would be more beneficial than sending such an individual to jail.

Converted intelligent hackers could become computer security analysts, consultants, or researchers. In such positions, they can greatly help reduce the chances of attack on networked information systems. Further, in addition to helping flag system vulnerabilities, converted hackers can also come in handy in the development of security patches to help seal exploits and loopholes before they are utilized by individuals with ulterior motives. Hackers from the past who have since converted and are now regarded as digital world gems include, but are not limited to, Kevin Mitnick and Sven Jaschan. While Mitnick was, according to Warman (2009), at some point regarded as America's most wanted hacker for his hacking exploits, Jaschan earned his place in the hackers' 'hall of fame' while still a teenager for his role in the development of two worms that were at the time "found to be responsible for 70 per cent of all the malware seen spreading over the internet" (Warman, 2009). Today Mitnick, according to Warman (2009), runs a successful computer security consultancy firm. Jaschan, on the other hand, was, according to Warman (2009), later hired by Securepoint, a respected firewall firm. In the final analysis, therefore, it is not difficult to see why it would be better to rehabilitate an intelligent attacker instead of sending them to jail.

4. Reluctance of Businesses to Announce Data Breaches

More often than not, businesses grossly understate the extent of data breaches. Additionally, many businesses appear reluctant to even acknowledge instances of such breaches. For instance, during the Sony hack debacle, the company was at first quick to downplay the extent of the external intrusion. When it first learnt of the attack, i.e., on April 20th 2011, the company, according to Williams (2011), did not make an announcement. However, some hours after making the discovery, the company issued a vague statement explaining that it was aware some of the PSN's functions were down. Users who attempted to sign in during the first two or so days were welcomed by a message stating that some maintenance work was under way across the network. On April 22nd 2011, the company asked its customers for more time, "a full day or two", to investigate the extent of the outage and hence get the service running again (Williams, 2011). The "full day or two" turned out to be 23 days. This is a classic case of the typical tendency of companies to downplay not only the extent but also the seriousness of data breaches. Other companies that have found themselves in the same situation as Sony include but they are not limited to…

References

Brooks, C. (2012, Nov 12). Personally Identifiable Information: What it is and How to Protect it. Tech News Daily. Retrieved from http://www.technewsdaily.com/15421-personally-identifiable-information-definition.html

Dutton, F. (2012, April 30). The PSN Hack: One Year On. Eurogamer. Retrieved from http://www.eurogamer.net/articles/2012-04-27-the-psn-hack-one-year-on

Halliday, J. (2013, January 24). Data Watchdog Fines Sony £250,000 Over PlayStation ID Hack. The Guardian. Retrieved from http://www.theguardian.com/technology/2013/jan/24/sony-fined-over-playstation-hack

Hosaka, T.A. (2011, October 12). Sony Hack October 2011: Thousands of PlayStation Network Accounts Targeted by Massive Attack. Huffington Post. Retrieved from http://www.huffingtonpost.com/2011/10/12/sony-hack-october-2011-playstation-network_n_1006661.html?

Warman, M. (2009, Nov 27). Top 10 Most Famous Hackers: We Present 10 Most Famous Hackers. The Telegraph. Retrieved from http://www.telegraph.co.uk/technology/6670127/Top-10-most-famous-hackers.html

Williams, M. (2011, April 27). PlayStation Network Hack Timeline. PCWorld. Retrieved from http://www.pcworld.com/article/226393/sony_playstation_network_breach_timeline.html

Yin-Poole, W. (2011, May 1). PSN: Sony Outlines "Welcome Back" Gifts. Eurogamer. Retrieved from http://www.eurogamer.net/articles/2011-05-01-psn-sony-outlines-welcome-back-gifts

